Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #72

September 11, 2007

(1) What are the most important things effective application developers do to make sure their programs are as secure as possible? If you are involved in application security, please consider helping with a new community project to build consensus secure coding/development guidelines. Your participation will be confidential or we'll give you full credit - at your option. To participate, just share your organization's secure coding guidelines. Send to apaller@sans.org. We'll weave your input in with the secure coding blueprints from the GSSP common body of knowledge and information from CERT/CC and OWASP and, possibly, Gary McGraw, and then circulate it back to participants until we can publish a consensus policy document that organizations can adapt for their use.

(2) Just going live: December 3-4 in Orlando:
WhatWorks in Stopping Data Leakage and Insider Threat Summit
http://www.sans.org/leakage07_summit/
WhatWorks in Mobile Encryption Summit
http://www.sans.org/encryption07_summit/
"This was my first SANS Summit, and I definitely will attend more. Now I can go back with better knowledge of data security, vendors (key) and what to do when looking for the correct tool to use to protect confidential/business data." - El Dimayuvga, Honda R&D

The right SIM technology offers great benefits to easing compliance requirements. Discover the best practices - based on actual customer experiences - that should be an integral part of your evaluation process when assessing a SIM. Brought to you by ArcSight, a leading provider of security and compliance management solutions.
http://www.sans.org/info/15831

How good are the courses? Here's what past attendees said: "An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life) "This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton) "You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)

TOP OF THE NEWS

In the wake of a recent report alleging that China's People's Liberation Army was behind a June attack on US Department of Defense computer systems, other countries have begun stepping forward, saying their governments' systems have been targeted by foreign hackers. In New Zealand, attackers breached official websites, stole information, and installed spyware. In France, websites "concerned [with] the services of the state" were breached. In the weeks prior to the story about the attack on Pentagon computers, Germany reported that its government systems had been infiltrated.
-http://www.bangkokpost.com/breaking_news/breakingnews.php?id=121510
-http://computerworld.co.nz/news.nsf/scrt/337662022F9A53F5CC25734F000A573B?opendocument&utm_source=
-http://www.australianit.news.com.au/story/0,25197,22391592-15306,00.html
[Editor's Note (Skoudis): A few months ago, I remarked in NewsBites that we might see a shift in our dominant threat vector toward nation-state cyber attack activity, just as we had seen our threat change from hobbyists to organized crime in the 2003 timeframe. Now, some organizations must consider how they can deal with determined, long-term, well-funded, nation-state adversaries. As an exercise, consider what this changed threat might imply for changes to your defenses. It's good that some of this discussion has (finally!) begun happening in the open over the last couple of weeks. At least some leaders are publicly admitting that there is an issue here, and not merely sweeping it under the rug as they have before.
(Ullrich): The short summary: Everybody is attacking everybody. It's just so easy! You will find these accusations in news releases periodically when they are politically convenient, like before larger international meetings. But the fact that you are reading about these intrusions now is not related to their being new or currently particularly bad.]

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Four Plead Guilty in US $20 Million Pump-and-Dump Scheme (September 10, 2007)

Four men have pleaded guilty to fraud charges stemming from a pump-and-dump scheme that netted the group US $20 million. The group obtained shares of stocks from small corporations and then sent phony emails touting those same companies. They sold the stocks after trading activity generated by the emails had artificially inflated their value. Each of the four faces five years in prison on each fraud charge. Three other people involved in the scheme were sentenced earlier this year.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9035158&source=rss_topic17

A Texas A&M University alumnus has been charged with felony reckless damage to a protected computer for allegedly breaking into the university's network and accessing personally identifiable information of students, faculty and staff without authorization. A breach in the server that holds logins and passwords of the network users was detected earlier this year. Luis Castillo, who received a degree in computer science from the school in December, could face up to five years in prison.
-http://www.washingtonpost.com/wp-dyn/content/article/2007/09/06/AR2007090602336_pf.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Computers at Pfizer appear to be sending out spam advertising a variety of products. One report says that nearly 140 IP addresses associated with Pfizer have been linked to the spam. However, the spam does not appear to come from Pfizer itself. The IP addresses used to send the messages are associated with the company, but the "From" addresses have been spoofed. In recent months, Pfizer has acknowledged three security breaches exposing employee data. There has been no connection made between the data security breaches and the spam.
-http://www.heise-security.co.uk/news/95645
-http://www.zdnet.co.uk/misc/print/0,1000000169,39289155-39001093c,00.htm
-http://www.wired.com/politics/security/news/2007/09/pfizerspam
[Editor's Note (Ullrich): It has been pointed out a number of times that large corporations, government departments and military installations are frequently hit by the same spam-sending worms that hit home users. In some cases, compromised web sites from these large organizations have even been used to house the advertised websites.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Attackers Target UK eBay Accounts (September 10, 2007)

A botnet is targeting eBay customers, particularly those in the UK, to try to steal account information and change users' settings so that items are sent to the wrong people. The botnet is composed of computers that became infected with a Trojan horse program when they visited seeded websites. In addition, the attackers have set up phishing websites to try to gain access to more eBay accounts.
-http://www.theregister.co.uk/2007/09/10/ebay_botnet_attack/print.html

Patient Data on Stolen Computers (September 10, 2007)

Two computers stolen from the offices of McKesson healthcare services company hold personally identifiable information of an undetermined number of patients. McKesson "helps pharmaceutical manufacturers set up assistance programs for patients in need." The company has sent letters to the patients whose data they believe may have been compromised by the theft.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201804872

STANDARDS & BEST PRACTICES

NIST Issues Draft of Active Content Guide and Final Version of CVSS (September 6, 2007)

MISCELLANEOUS

Ericsson Hellas Fined in Olympic Wiretap Case (September 6, 2007)

The Hellenic Authority for Information and Communication Security and Privacy (ADAE) has fined Ericsson Hellas 7.36 million Euros (US $10.15 million) in connection with widespread wiretapping of Greek officials' and others' mobile phones during the time of the 2004 Athens Olympics. ADAE has not released any details about the wiretapping case, apart from having indicated that the company's equipment was used to tap the phones. Ericsson Hellas plans to appeal the fine. The Greek unit of Vodafone is also appealing a 76 million Euro (US $104.9 million) fine imposed by ADAE in December 2006. It is not known who placed the wiretaps or for what reasons the phones were tapped.
-http://www.reuters.com/article/technology-media-telco-SP/idUSL0682035520070906?pageNumber=1&sp=true

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

The stakes have never been higher for organizations that process and store sensitive information on customers and employees. This webcast will explore the business drivers for encryption of system disks and provide the results of a hands-on evaluation comparing Seagate® DriveTrust™ against a software-based approach.

This webcast will focus on the trend toward reuniting Access and Identity and why it is important to consider strong authentication right from the planning phase of a remote access project. We will also review key criteria associated with choosing and deploying two-factor authentication in an enterprise environment.

Well, perhaps that is a stretch, but Log Management is incredibly valuable to help solve a host of other real problems in IT beyond simple compliance. Compliance drives most log management purchases but IT Managers are constantly challenged to maximize investments in technology.

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/